[00:06.600 --> 00:13.180]  Hi everyone and thank you for choosing this talk and watching our presentation.
[00:14.620 --> 00:22.160]  I hope you are all in good health and the coronavirus pandemic will soon be over.
[00:22.160 --> 00:31.860]  Also, I want to thank the Aerospace Village team for allowing us to present our research.
[00:32.740 --> 00:38.040]  My name is Mohammad Reza Zamidi. I'm a cyber security researcher.
[00:38.040 --> 00:45.660]  I'm mostly interested in cyber physical systems and industrial control systems.
[00:46.000 --> 00:55.980]  My other two colleagues are Reza, who is a reverse engineer, and Javad, who is working as a
[00:55.980 --> 01:05.760]  reverse engineer. So, if you are wondering why we are three persons in a 25-minute talk,
[01:07.180 --> 01:14.320]  I should say that it was the most time-consuming research we ever had,
[01:14.860 --> 01:22.560]  because we had to make contact with people in the aviation industry.
[01:22.560 --> 01:31.960]  And it wasn't easy to find them. And finally, just one flight engineer
[01:33.040 --> 01:41.660]  answered our questions. And thanks to him, we have a picture of our work on a real flight
[01:41.660 --> 01:52.540]  management system. Okay, this talk is divided into six main sections. First of all, I will
[01:52.540 --> 02:00.980]  talk about recent cyber attacks against the aviation industry. Also, some basic stuff about
[02:00.980 --> 02:10.360]  avionics systems, and how these new technologies can turn an airplane into a target for cyber
[02:10.360 --> 02:20.160]  attacks. Secondly, I will explain what a flight management system is, which is one of the most
[02:20.160 --> 02:30.680]  important avionic devices that could be found in a modern aircraft. After that, I will discuss
[02:31.160 --> 02:38.460]  some risk scenarios against flight management systems, and how we can see it from an offensive
[02:39.040 --> 02:49.120]  perspective. Then, I will explain the process of analyzing an FMS data integrity check mechanism,
[02:49.120 --> 03:02.520]  and how we found a weakness that allowed us to bypass it. And finally, we have a demo, which is
[03:05.560 --> 03:12.500]  about bypassing the CRC algorithm and also the malware.
[03:14.800 --> 03:21.840]  Okay, here are some examples of recent cyber attacks against the aviation industry.
[03:21.840 --> 03:27.160]  The first one was a ransomware attack against New York Airport.
[03:28.040 --> 03:36.800]  Second, the same kind of attack against Albany Airport one year earlier.
[03:37.460 --> 03:50.380]  And also in 2019, RavnAir Group declared that it had experienced a malicious cyber attack
[03:51.440 --> 04:00.060]  on the company's IT network the day before, causing it to cancel all its flights.
[04:00.060 --> 04:04.880]  And in 2018, a ransomware attack turned off the electronic
[04:05.800 --> 04:14.460]  flight information screens at Bristol Airport. So these are only some examples,
[04:14.460 --> 04:19.200]  and we want to show that, in contrast to common malware attacks, specially
[04:19.200 --> 04:26.380]  designed malware, which is able to target avionic systems, will be more challenging.
[04:28.340 --> 04:37.240]  Okay, what are avionics systems? A literal blend of the terms aviation and electronics.
[04:37.580 --> 04:47.280]  Avionics is a category of electronic systems and equipment, especially designed for use in aviation.
[04:47.280 --> 04:55.080]  The avionics installed in an aircraft or a spacecraft can include engine control,
[04:56.000 --> 05:05.080]  flight control system, navigation, communication, flight recorders, lighting systems,
[05:05.080 --> 05:11.160]  performance monitor, and systems that carry out hundreds of other mission and
[05:12.320 --> 05:18.500]  flight management tasks. Every modern aircraft, spacecraft, and artificial satellite
[05:19.020 --> 05:25.600]  uses electronic systems of varying types to perform a range of functions
[05:27.820 --> 05:37.460]  pertinent to their purpose and mission. A flight management system is a fundamental
[05:37.460 --> 05:46.600]  component of modern airliner avionics. In many ways, it is like the GPS in your car,
[05:46.600 --> 05:53.120]  with waypoints programmed in between the origin and the destination.
[05:53.960 --> 06:01.020]  You program in where you are going and off it goes. A primary function is in-flight management
[06:01.020 --> 06:09.720]  of the flight plan, using various sensors to determine the aircraft position.
[06:10.360 --> 06:19.000]  The FMS can guide the aircraft along the flight plan. The FMS will allow the
[06:19.000 --> 06:26.660]  airplane to hook up its autopilot and maintain the heading within a few feet.
[06:34.070 --> 06:40.830]  Okay, typical flight management systems consist of a flight management computer
[06:41.410 --> 06:50.530]  and a control display unit, which enables display and modification of various parameters,
[06:50.530 --> 06:58.770]  as well as allowing the flight crew to select the various FMS operation modes. And also,
[07:00.770 --> 07:06.330]  a data loader is one of its important components.
[07:09.580 --> 07:15.960]  The flight management computer is the heart of a flight management system,
[07:15.960 --> 07:22.780]  providing centralized control for navigation and performance management. The FMS accepts
[07:23.660 --> 07:33.060]  information from numerous navigation sensors, including VOR, distance measuring equipment,
[07:33.060 --> 07:41.560]  and GPS. Data from each sensor is prioritized based on its known percentage of error and
[07:41.560 --> 07:48.300]  can be blended to provide the most accurate position information.
[07:50.310 --> 07:56.870]  The flight management computer has a programmable database containing known radio navigation
[07:57.430 --> 08:06.150]  stations, along with their terminal frequencies, airports, SIDs, and STARs, as well as approach
[08:06.150 --> 08:14.170]  data for runways. Because of frequent changes, the database requires updating every 28
[08:14.910 --> 08:22.990]  days. This is accomplished by loading electronic media files into some type of data loader,
[08:22.990 --> 08:29.630]  which can vary from a floppy drive to even a compact disk. In some cases,
[08:29.630 --> 08:38.490]  the data loader can be used to download diagnostics or FOD data to the same type of electronic media.
[08:40.970 --> 08:48.230]  The flight plan is generally determined on the ground before departure, either by the
[08:48.230 --> 08:54.510]  pilot for a smaller aircraft or a professional dispatcher for an airliner. It is entered into
[08:54.510 --> 09:03.910]  the FMS either by typing it, selecting it from a saved library of common routes,
[09:03.910 --> 09:11.120]  or via an ACARS data link with the airline dispatch center.
[09:13.680 --> 09:22.880]  All FMSs contain a navigation database, and the navigation database contains the elements from
[09:22.880 --> 09:32.860]  which the flight plan is constructed. These are defined via the ARINC 424 standard. The navigation
[09:32.860 --> 09:43.580]  database is normally updated every 28 days to ensure that its contents are current. Each FMS
[09:43.580 --> 09:53.620]  contains only a subset of the ARINC data relevant to the capabilities of the FMS.
[09:54.580 --> 10:01.760]  The NDB contains all of the information required for building a flight plan,
[10:01.760 --> 10:11.700]  consisting of waypoints, airways, airports, and runways. And also, standard instrument
[10:11.700 --> 10:18.000]  departures and standard terminal arrivals, which in summary we call SIDs and STARs, that are
[10:18.000 --> 10:25.780]  procedures and checkpoints used to enter and leave the airways system by aircraft
[10:25.780 --> 10:36.780]  operating on an IFR flight plan. Okay, airlines have to download NDB updates
[10:36.780 --> 10:45.740]  from the website of FMS vendors. Then they will extract this NDB file using their specific software
[10:45.740 --> 10:53.660]  and then copy them onto a floppy disk. After that, the technician will upload the NDB files
[10:53.660 --> 11:01.680]  via the data loader to the FMS. The interesting point for us is that the FMS device has the
[11:01.680 --> 11:09.520]  capability of a data integrity check and only accepts NDB files which are not manipulated.
[11:09.880 --> 11:15.720]  Otherwise, the technician will face an error at the time of loading the NDB file.
[11:19.040 --> 11:26.240]  Okay, so from an offensive standpoint, one of the most likely attack vectors is to manipulate
[11:26.240 --> 11:33.240]  the NDB files which are going to be loaded on the FMS device. So the attacker will only need
[11:33.240 --> 11:40.480]  to bypass the data integrity check mechanism and after that will be able to manipulate some
[11:40.480 --> 11:51.220]  information which is critical for flight. Data integrity refers to the accuracy and consistency
[11:51.220 --> 12:00.740]  of data over its lifecycle. Maintaining data integrity is a core focus of many enterprise
[12:00.740 --> 12:07.360]  security solutions. Data integrity can be compromised in several ways. Each time data
[12:07.360 --> 12:16.200]  is replicated or transferred, it should remain intact and unaltered between updates.
[12:16.580 --> 12:23.460]  Error checking methods and validation procedures are typically relied on to ensure the integrity
[12:23.460 --> 12:32.420]  of data that is transferred or reproduced without the intention of operation.
[12:34.060 --> 12:41.900]  CRC or cyclic redundancy check is an error detection code. It detects changes in data as
[12:41.900 --> 12:50.560]  it travels from one computer to another by adding a code to the end of the data string.
[12:51.500 --> 12:58.880]  The sending computer creates the code and the receiving computer checks it. If the code checks
[12:58.880 --> 13:05.660]  out, the data is accurate, and if the codes don't check out, the data is corrupt.
[13:06.460 --> 13:14.080]  Okay, so here is a real world example. At the left side, you can see the original message
[13:20.740 --> 13:30.220]  here, which is going to be transmitted. And at the center, we have the
[13:31.480 --> 13:43.000]  generator polynomial or CRC generator, which is four bits. It comes from the algorithm.
[13:43.100 --> 13:52.560]  It can be more bits based on the different CRC algorithms. So the point here is that we should
[13:52.560 --> 14:05.780]  append one bit less than its actual length at the end of our original message. Okay, so
[14:09.780 --> 14:19.460]  this original message should be divided by our CRC generator.
[14:19.460 --> 14:26.680]  But the division of polynomials differs from an integer division. The underlying
[14:28.300 --> 14:36.680]  arithmetic for CRC calculation is based on the XOR operation.
[14:36.680 --> 14:44.120]  But I guess many of you have previous knowledge about it. It is very simple, and the resulting
[14:44.120 --> 15:03.660]  bit evaluates to one only if exactly one of the bits is set.
[15:04.480 --> 15:12.540]  Otherwise, when the bits are the same, the result will be zero. Okay, so
[15:15.670 --> 15:25.810]  we will continue this operation till the end. And finally, we have here a checksum.
[15:26.130 --> 15:32.050]  This value is called checksum. We should add this to the end of the original message,
[15:32.050 --> 15:38.850]  and the data is ready for transfer. Okay, so at the right side,
[15:39.630 --> 15:49.690]  this is what will happen at the receiver side. If you look, we started here with some zeros and
[15:49.690 --> 15:58.470]  reached the checksum. So here, the receiver will start with this checksum at the end of our message,
[15:58.470 --> 16:08.950]  and it must know the CRC generator. So it is the reverse process of our previous
[16:10.990 --> 16:20.370]  mathematical operation, and it should reach zero. And this way, we can ensure that the data is
[16:20.370 --> 16:42.690]  not altered. Okay, so how can we bypass the CRC check process? As you saw on the previous slide,
[16:42.690 --> 16:49.890]  the mathematical operation of the CRC calculation is not very complicated and is easy to analyze.
[16:50.530 --> 16:56.610]  After finding the CRC algorithm, we can implement the same thing on our side.
[16:57.530 --> 17:05.030]  The only step which is challenging is to understand the mathematical operation by
[17:05.030 --> 17:12.470]  reading the assembly code at the time of analyzing the CRC in a computer-based environment.
[17:14.310 --> 17:21.170]  Okay, after bypassing the data integrity check, it's time to complete the attack vector. If we
[17:21.170 --> 17:31.390]  ignore the infection process, the attacker only needs to look for a specific NDB file
[17:31.390 --> 17:37.670]  and can manipulate critical data. In addition to common malware attacks against the aviation
[17:37.670 --> 17:45.580]  industry, a malware that is especially designed to target avionics systems could be very challenging.
[17:46.540 --> 17:53.340]  Okay, here is the whole kill chain scenario. We assume that the first step is done via
[17:53.900 --> 18:03.520]  common attack methods like phishing. In the second step, the malware should be able to
[18:03.520 --> 18:11.700]  search the hard drive for the NDB files based on the specific NDB file format or file header.
[18:11.700 --> 18:18.820]  Then it's time for changing some data in the navigation database and bypassing the file
[18:18.820 --> 18:27.340]  integrity check. In the fourth step, the technician will copy the manipulated NDB file
[18:27.340 --> 18:36.280]  on the floppy disk. Then he or she will update the FMC device with this NDB file.
[18:36.280 --> 18:43.940]  Finally, the pilot will start flying with this altered NDB and will face some risk scenarios.
[18:44.620 --> 18:53.700]  So what are the risk scenarios? Frankly speaking, it is not very clear what will happen.
[18:54.000 --> 19:01.560]  But we know that the data from the FMS will be sent to many other avionics systems,
[19:01.560 --> 19:05.840]  and this could cause some mistakes and challenges for the flight.
[19:06.660 --> 19:15.120]  Also, we know that flying with a manipulated FMS is not safe at all,
[19:15.720 --> 19:22.460]  since many real-life incidents originated from FMS data input error.
[19:24.120 --> 19:30.160]  Okay, let's move on to our research on the data integrity check of Honeywell's flight
[19:30.160 --> 19:38.380]  management system. Honeywell is the biggest FMS manufacturer, and its products can be found on
[19:38.380 --> 19:46.420]  every modern aircraft. Okay, the OneNav tool is a desktop application
[19:46.990 --> 19:54.860]  which interprets the binary data format used by Honeywell FMS. And by using this tool,
[19:54.860 --> 20:02.240]  we can see inside a navigation database. OneNav has wide capabilities to decode
[20:03.100 --> 20:12.680]  various formats of navigation database that are produced by Honeywell.
[20:12.680 --> 20:22.480]  Using OneNav, we can compare, export, archive, and plot the NavDB contents,
[20:22.480 --> 20:30.960]  and create loadable media for Honeywell FMS. So after some research, we discovered
[20:31.750 --> 20:39.000]  that Honeywell is using a CRC algorithm for its file integrity check. If we consider
[20:39.630 --> 20:48.220]  OneNav as the sender, the FMC will be the receiver. It is clear that both the sender and
[20:48.220 --> 20:55.220]  receiver should use the same CRC generator. By reverse engineering the OneNav software,
[20:55.220 --> 21:03.180]  we finally managed to find the routine which is responsible for calculating the CRC.
[21:03.180 --> 21:10.080]  Because of security concerns, I'm not going to explain the details of this step.
[21:10.080 --> 21:17.000]  Okay, let's see a demo of our work.
[21:18.330 --> 21:26.780]  This is OneNav, and I'm going to use the engineering mode of this software. So here
[21:29.410 --> 21:37.480]  I'm opening a database, and you can see the CRC is correct. Okay, the first report,
[21:40.080 --> 21:46.080]  we can manipulate its data. For example, let's look at its...
[21:50.940 --> 22:00.360]  this data is related to its location, and I will just copy it into Notepad.
[22:07.180 --> 22:16.020]  Okay, we can manipulate this NDB file with a text editor.
[22:17.320 --> 22:30.660]  First, we should search for it. Okay, so just a little bit of change
[22:32.120 --> 22:56.600]  and saving as a new NDB file. Okay, if we check the CRC, we can see that it has failed
[22:56.600 --> 23:06.920]  because the NDB file is manipulated, and this file will not load on the FMC device.
[23:07.040 --> 23:17.520]  Okay, so here is our program which fixes the CRC check.
[23:38.740 --> 23:45.180]  Okay, so if we check this new file, we can see that CRC is okay
[23:45.180 --> 24:02.760]  and back in the production version, we can check the location of the previous airport.
[24:05.420 --> 24:14.600]  Let's see what's happening here. Okay, if you look carefully,
[24:16.740 --> 24:27.360]  you can see that the location is changing. This is just an example of changing critical data.
[24:28.360 --> 24:36.240]  An attacker could change much other data; this was just for showing a demo.
[24:45.230 --> 24:55.750]  Okay, so as I mentioned before, this is not only a weakness in computer software.
[24:55.970 --> 25:05.730]  If we can bypass the CRC algorithm in OneNav, it must be possible to do it on a real FMC device.
[25:06.770 --> 25:16.390]  Okay, thanks to our flight engineer friends, we have a picture of loading our NDB file on a real FMC device.
[25:19.040 --> 25:28.940]  And the final part of this research is the malware which is able to target NDB files and the flight management system.
[25:36.350 --> 25:43.630]  This is an automation of the previous demo, but using malware.
[25:43.650 --> 25:58.720]  Okay, you can see the same airport here. I'm running the malware. Okay, so the file has
[25:59.260 --> 26:06.400]  the same name, but I want to keep it in OneNav, so I'm going to rename it
[26:07.260 --> 26:16.620]  to show you what happened to this file in contrast to this previous one.
[26:20.870 --> 26:31.650]  Okay, so I'm going to open the same airport, and you can see our malware is working.
[26:38.480 --> 26:46.500]  Okay, about one year ago, we reported the vulnerability to the Honeywell PSIRT.
[26:48.890 --> 26:59.540]  And after some months, they told us that they have issued a mitigation and warned their customers.
[27:01.070 --> 27:07.120]  Okay, thank you guys for watching this presentation till the end. I hope you
[27:07.530 --> 27:13.190]  found it useful, and please let me know if you have any questions or comments.
[27:13.390 --> 27:16.150]  Thank you again, and have a good time.
